通过嵌套在控制器中继承资源的 Cancan 能力
我继承了控制器中工作的资源,并使用 cancan 进行授权。但是,我在编写所需的能力时遇到了问题。
我可以通过两种方式显示特定订单:
/profile/123/orders/321
/store/456/orders/321
在控制器中:
class OrdersController < ApplicationController
inherit_resources
belongs_to :profile, :store, :optional => true
load_and_authorize_resource
...
end
角色是:用户(模型中的has_one:配置文件)和经理(模型中的has_one:存储)
要求(用文字)是:
- 经理可以在上下文中显示订单(属于)他的 店铺。
- 经理无法在任何用户的上下文中显示订单 配置文件(应拒绝访问)
- 用户可以在以下位置显示订单 他的个人资料的上下文
- 用户不能在任何上下文中显示订单 store(被拒绝)
我无法满足这些要求,也许我应该以特殊方式或实际上以两种方式加载资源?直觉告诉我,在这两种情况下,对订单的访问应该基于对父资源的访问。 谢谢你的帮助。
I have inherited resources working in my controllers and I use cancan for authorization. However, I have a problem writing required abilities.
I can display particular order in 2 ways:
/profile/123/orders/321
/store/456/orders/321
in controller:
class OrdersController < ApplicationController
inherit_resources
belongs_to :profile, :store, :optional => true
load_and_authorize_resource
...
end
Roles are: user (has_one :profile in Model) and manager (has_one :store in Model)
The requirements (in words) are:
- Manager can display order(s) in context of (that belongs to) his
store. - Manager cannot display order(s) in context of any user's
profile (Access should be denied) - User can display order(s) in
context of his profile - User cannot display order(s) in context of any
store (denied)
I couldn't meet these requirements, maybe I should load resource in special way or actually in 2 ways? Intuition says to me, that access to orders should be based on the access to parent resource in both cases.
Thank You for help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您在ability.rb 文件中拥有个人资料和商店的权限,那么您也可以只授权父级。即像这样:
或者您可以按照 CanCan wiki 中的描述进行操作:
多态关联
假设任务可以通过多态关联分配给项目或事件。可以将数组传递到 :through 选项中,它将使用找到的第一个数组。
在这里,它将检查 @project 和 @event 变量,并通过存在的变量获取任务。请注意,这只是加载父模型,如果您想授权父模型,则需要通过 before_filter 来完成,因为涉及特殊逻辑。
If you have rights in your ability.rb file for profile and store, then you can just authorize parent too. I.e. something like this:
Or you can do as it described in CanCan wiki:
Polymorphic associations
Let's say tasks can either be assigned to a Project or an Event through a polymorphic association. An array can be passed into the :through option and it will use the first one it finds.
Here it will check both the @project and @event variables and fetch the task through whichever one exists. Note that this is only loading the parent model, if you want to authorize the parent you will need to do it through a before_filter because there is special logic involved.